Malwarebytes

Can't Remove Trojan.Vundo.H

11 replies to this topic

#1 Computer User1234 (New Member, 8 posts)
I can't kill Trojan.Vundo.H. I am using the latest Malwarebytes release and also the latest definitions. Also, I can't uninstall the "Total Security" spyware app using Add/Remove Programs.

I appreciate your help, thank you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:29:22 PM, on 9/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: (no name) - {02944EC4-EEA3-4F49-BA68-F013069C08A3} - C:\DOCUME~1\MIKERO~1\LOCALS~1\Temp\dm191.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {85C64ED9-D2B8-4E05-96D9-DF58F65CAA68} - c:\windows\system32\cthkcon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://72.236.138.36/activex/AMC.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O20 - Winlogon Notify: djpzioeb - C:\WINDOWS\SYSTEM32\cthkcon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6716 bytes

Malwarebytes' Anti-Malware 1.41
Database version: 2791
Windows 5.1.2600 Service Pack 3

9/13/2009 3:36:44 PM
mbam-log-2009-09-13 (15-36-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 166875
Time elapsed: 46 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 4
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85c64ed9-d2b8-4e05-96d9-df58f65caa68} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\djpzioeb (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{85c64ed9-d2b8-4e05-96d9-df58f65caa68} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02944ec4-eea3-4f49-ba68-f013069c08a3} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{02944ec4-eea3-4f49-ba68-f013069c08a3} (Trojan.BHO.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\cthkcon.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\DOCUME~1\MIKERO~1\LOCALS~1\Temp\dm191.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.

#2 negster22 (Elite Member, Experts, 1,130 posts, Location: Westchester County, NY)
Hi and Welcome to the Malwarebytes' forum.

Please download ATF Cleaner by Atribune
  • Close Internet Explorer and any other open browsers
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Launch HijackThis (HJT) by right-clicking the desktop shortcut and choosing "Run as Administrator". Choose the Scan Only option. Close all programs except HJT and all browser windows, then check the following items for removal and click on "Fix Checked":

O2 - BHO: (no name) - {02944EC4-EEA3-4F49-BA68-F013069C08A3} - C:\DOCUME~1\MIKERO~1\LOCALS~1\Temp\dm191.dll (file missing)
O2 - BHO: (no name) - {85C64ED9-D2B8-4E05-96D9-DF58F65CAA68} - c:\windows\system32\cthkcon.dll
O20 - Winlogon Notify: djpzioeb - C:\WINDOWS\SYSTEM32\cthkcon.dll

Close HJT

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:
http://www.bleepingc...opic114351.html

Next, please perform a rootkit scan:
  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), copy the quick scan report to the Windows clipboard and paste it in a reply back here.
  • Now, relaunch the ARK program, click the Rootkit/Malware tab, and then select the Scan button.
  • Leave your system completely idle while this longer scan is in progress.
  • When the scan is done, save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V.
  • Exit the program.
  • Save the scan log as ARK.txt and post it in your next reply. If the log is very long, please attach it.
---
Please download Combofix from one of these locations:
HERE or HERE

I want you to rename Combofix.exe as you download it to a name of your choice such as explorer.exe

Notes:
  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.

    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.
Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already:
http://www.bleepingc...to-use-combofix

Very Important! Temporarily disable your Symantec antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:
http://www.bleepingc...opic114351.html

Also, disable your firewall!
You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post ARK.txt and C:\ComboFix.txt in your next reply.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
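The three HJT items negster22 picks out above share one tell: an unnamed BHO and a Winlogon Notify package pointing at the same DLL (cthkcon.dll), plus a BHO registered from a user's Temp folder whose file is already gone. The script below automates that triage over HJT-format O2/O20 lines. It is an added example, not part of this thread and not code from HijackThis, Malwarebytes or ComboFix; the sample log lines are constructed from the entries posted above plus a few benign ones, and the Winlogon Notify allow-list is an assumption drawn from the XP defaults so a stock package is not reported.

```python
"""Triage HijackThis (HJT) O2/O20 lines for the BHO + Winlogon Notify pairing
that Vundo-style infections leave behind.  Added example, not part of the
thread or of HijackThis itself."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample input: the O2/O20 lines from the HJT log posted in the
# thread, plus a few benign entries the heuristics should leave alone.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02944EC4-EEA3-4F49-BA68-F013069C08A3} - C:\DOCUME~1\MIKERO~1\LOCALS~1\Temp\dm191.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {85C64ED9-D2B8-4E05-96D9-DF58F65CAA68} - c:\windows\system32\cthkcon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: djpzioeb - C:\WINDOWS\SYSTEM32\cthkcon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Winlogon Notify packages that ship with Windows XP (assumption: an allow-list
# used only so that a stock entry is not reported as a finding).
WINLOGON_NOTIFY_DEFAULTS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*?)"
    r"(?P<missing> \(file missing\))?$"
)
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Entry:
    kind: str      # "O2" (BHO) or "O20" (Winlogon Notify)
    name: str
    path: str      # normalised: lower-case, quotes stripped
    missing: bool  # HJT reported "(file missing)"
    line: str      # the original log line, for the "Fix checked" list


@dataclass
class Finding:
    entry: Entry
    severity: str  # "high" or "medium"
    reasons: list = field(default_factory=list)


def parse_hjt(log_text):
    """Pull the O2 and O20 entries out of an HJT log; other sections are ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for kind, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                path = m["path"].strip().strip('"').lower()
                entries.append(Entry(kind, m["name"], path, bool(m["missing"]), line))
                break
    return entries


def triage(log_text):
    """Score each entry; the strongest signal is one DLL registered in both places."""
    entries = parse_hjt(log_text)
    kinds_by_path = defaultdict(set)
    for e in entries:
        kinds_by_path[e.path].add(e.kind)

    findings = []
    for e in entries:
        high, medium = [], []
        if {"O2", "O20"} <= kinds_by_path[e.path]:
            high.append("same DLL registered as a BHO and as a Winlogon Notify package")
        if e.kind == "O2":
            if "\\temp\\" in e.path:
                high.append("BHO loaded from a Temp directory")
            if e.name == "(no name)":
                medium.append("BHO registered without a display name")
            if e.missing:
                medium.append("orphaned registration: DLL no longer on disk")
        elif e.name.lower() not in WINLOGON_NOTIFY_DEFAULTS:
            medium.append("Winlogon Notify package that is not a Windows default")
        if high or medium:
            findings.append(Finding(e, "high" if high else "medium", high + medium))
    return findings


def hjt_lines_to_fix(log_text):
    """The log lines a helper would tick in HJT's 'Fix checked', in log order."""
    return [f.entry.line for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity}] {f.entry.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed sample, `hjt_lines_to_fix` returns exactly the three lines listed in the post above and leaves the Adobe and Google BHOs alone. The cross-registration check is the one worth keeping: a Winlogon Notify DLL loads into winlogon.exe at every logon, so a BHO that is also registered there survives a browser-only cleanup, which is why the MBAM log marks cthkcon.dll "Delete on reboot" rather than quarantining it in place.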

#3 Computer User1234 (New Member, 8 posts)

negster22, on Sep 14 2009, 02:50 AM, said: (quoting the instructions in post #2 above in full)

As requested, here are the clipboard contents from the Antirootkit program:

GMER 1.0.15.15077 [bss77s9v.exe] - http://www.gmer.net
Rootkit quick scan 2009-09-13 23:12:45
Windows 5.1.2600 Service Pack 3

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

#4 Computer User1234 (New Member, 8 posts)

Computer User1234, on Sep 14 2009, 04:16 AM, said: (quoting the GMER quick-scan results from post #3 above in full)


Here are the latest information files: Ark.txt, the ComboFix log, and another HijackThis log that was run after ComboFix.

I notice that I still have a "Total Security" application that shows up in my Add/Remove Programs listing. What has to be done to get rid of that piece of spyware? Thanks, I appreciate your help.


GMER 1.0.15.15077 [trqcgsrc.exe] - http://www.gmer.net
Rootkit scan 2009-09-14 01:28:09
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT E1B37400 ZwConnectPort

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!SeAuditingFileEventsWithContext + 3D 805683FA 7 Bytes JMP 82FE6570

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----


ComboFix 09-09-13.05 - Mike Roy Auto 09/14/2009 1:46.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.184 [GMT -4:00]
Running from: c:\documents and settings\Mike Roy Auto\Desktop\Cb1231.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\TS\tsc.exe
c:\recycler\S-1-5-21-1433678514-3411340332-2596020146-1003
c:\recycler\S-1-5-21-515967899-1580436667-725345543-1003
c:\windows\system32\cthkcon.dll
c:\windows\system32\drivers\uhyeybry.sys
c:\windows\system32\drivers\wceclzsu.sys
c:\windows\system32\vghmhrxf.dll
c:\windows\system32\wsyyhze.dll
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WCECLZSU
-------\Service_wceclzsu


((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-14 03:03 . 2009-09-14 05:30 -------- d-----w- C:\Ark
2009-09-13 19:55 . 2009-09-13 19:55 -------- d-----w- c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\Mozilla
2009-09-13 15:48 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 15:48 . 2009-09-13 15:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-13 15:48 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 06:44 . 2004-03-05 03:46 83168 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-09-13 06:44 . 2004-03-05 03:46 82832 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-09-13 06:43 . 2009-09-13 06:44 -------- d-----w- c:\program files\Symantec
2009-09-13 06:43 . 2009-09-14 05:56 -------- d-----w- c:\program files\Symantec AntiVirus
2009-09-13 06:43 . 2009-09-13 06:44 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-09-13 06:04 . 2009-09-13 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-13 06:03 . 2009-09-13 15:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-13 06:03 . 2009-09-13 15:41 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\SUPERAntiSpyware.com
2009-09-13 05:44 . 2009-09-13 05:44 -------- d-----w- c:\program files\CCleaner
2009-09-13 04:46 . 2009-09-13 04:46 -------- d-----w- c:\program files\Trend Micro
2009-09-12 15:32 . 2009-09-13 15:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-12 14:57 . 2009-09-12 14:57 -------- d-----w- c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde
2009-09-12 14:57 . 2009-09-12 14:57 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde
2009-09-12 13:33 . 2009-09-12 13:33 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\Malwarebytes
2009-09-12 13:33 . 2009-09-12 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-11 18:03 . 2009-09-11 18:03 -------- d-----w- c:\program files\Common Files\TSUninstall
2009-09-11 18:02 . 2009-09-14 05:53 -------- d-----w- c:\program files\TS
2009-09-10 19:38 . 2009-09-10 19:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde
2009-09-10 19:38 . 2009-09-10 19:38 -------- d-----w- c:\documents and settings\NetworkService\Application Data\hgmxqsde
2009-09-08 19:33 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 03:23 . 2007-03-24 15:49 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\OpenOffice.org2
2009-09-13 15:36 . 2007-12-18 19:35 -------- d-----w- c:\program files\Coupons
2009-09-13 07:42 . 2007-12-08 16:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-13 07:28 . 2007-12-08 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 06:43 . 2004-05-12 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-13 04:52 . 2007-04-23 17:15 -------- d-----w- c:\program files\WebIQ
2009-09-12 16:03 . 2009-01-09 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-12 16:00 . 2009-07-27 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2009-08-27 17:50 . 2007-03-27 16:41 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\AdobeUM
2009-08-22 14:16 . 2009-01-09 22:46 -------- d-----w- c:\program files\NortonInstaller
2009-08-22 14:14 . 2009-01-09 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-14 10:58 . 2009-09-12 15:34 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-07 14:21 . 2007-03-24 02:59 56504 ----a-w- c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 20:59 . 2009-08-06 20:59 -------- d-----w- c:\program files\MSBuild
2009-08-06 20:59 . 2009-08-06 20:59 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 14:18 . 2009-07-27 14:17 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\DriverCure
2009-07-27 14:16 . 2009-07-27 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2009-07-17 19:01 . 2004-05-12 09:42 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-05-12 10:07 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2005-10-21 17:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-05-12 09:42 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-05-12 09:43 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-05-12 09:43 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-05-12 09:43 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-05-12 09:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-05-12 09:42 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-24 11:18 . 2004-05-12 09:42 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-05-12 09:43 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-05-12 09:42 81920 ----a-w- c:\windows\system32\fontsub.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-12 77824]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-10-06 161096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MPlayer2_FixUp"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]

c:\documents and settings\Mike Roy Auto\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 5:56 PM 173392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WCECLZSU
*Deregistered* - wceclzsu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ofgmwotm
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://72.236.138.36/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Mike Roy Auto\Application Data\Mozilla\Firefox\Profiles\vibazv7k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-ID - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 01:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3892)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\OpenOffice.org 2.1\program\soffice.exe
c:\program files\OpenOffice.org 2.1\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-09-14 2:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 06:02

Pre-Run: 62,896,451,584 bytes free
Post-Run: 66,088,554,496 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

188 --- E O F --- 2009-09-11 18:28





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:13 AM, on 9/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Mike Roy Auto\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups (User 'Default user')
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://72.236.138.36/activex/AMC.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6421 bytes

#5
Computer User1234

    New Member

  • Members
  • 8 posts
Thanks for all of your help. Total Security was easy to remove from the add/remove list, as there was no program behind it.

Full scan with Malwarebytes was clean. Computer is now back to normal thanks again. This item can be considered closed.

#6
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
I'm glad your computer is better but your Combofix log still shows some infected items which I will help you remove with a customized script. You should do this so the infection doesn't resurface again.

Open Notepad
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled)
Copy/paste the text in the code box below into Notepad.

KillAll::

Driver::
wceclzsu

Folder::
c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde
c:\program files\Common Files\TSUninstall
c:\program files\TS
c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde
c:\documents and settings\NetworkService\Application Data\hgmxqsde
c:\documents and settings\All Users\Application Data\ParetoLogic

Netsvc::
ofgmwotm

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000

Save this to your desktop as CFScript.txt by selecting File -> Save as.

Posted Image

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into your renamed ComboFix.exe (Cb1231.exe)

This will cause ComboFix to run again.

Please post back the log that opens when it finishes.
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
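
As an added example (not code from this thread, from ComboFix or from Malwarebytes), here is a small Python triage pass over the kind of "Reg Loading Points" lines that negster22 acted on above: it flags the Security Center monitoring override, the disabled firewall, the driver created during the scan and the non-default NetSvcs entry, and writes out the Registry:: part of the fix. The log excerpt is constructed from the log posted earlier; the random-name heuristic is my own assumption, not a ComboFix rule.

```python
"""Triage pass over ComboFix 'Reg Loading Points' lines (added example, not from the thread)."""
import re
from typing import Dict, List

# Constructed excerpt modelled on the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 5:56 PM 173392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - WCECLZSU
*Deregistered* - wceclzsu

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ofgmwotm
.
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
NEWLY_CREATED_RE = re.compile(r"^\*NewlyCreated\*\s*-\s*(\S+)$")
NETSVCS_HEADER = "Svchost - NetSvcs"


def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not a ComboFix rule): eight lowercase letters with at
    most two vowels, the shape of the generated names in this thread (ofgmwotm, wceclzsu)."""
    n = name.lower()
    return len(n) == 8 and n.isalpha() and sum(c in "aeiou" for c in n) <= 2


def triage(log: str) -> List[Dict[str, str]]:
    """Return the entries a helper would act on, in the order they appear in the log."""
    findings: List[Dict[str, str]] = []
    section = ""
    in_netsvcs = False
    for raw in log.splitlines():
        line = raw.strip()
        if in_netsvcs:
            # The NetSvcs list runs until a blank line or a '.' separator.
            if not line or line == ".":
                in_netsvcs = False
                continue
            # ComboFix hides legitimate default entries, so anything listed is non-default.
            note = "non-default svchost NetSvcs entry"
            if looks_random(line):
                note += " (random-looking name)"
            findings.append({"kind": "netsvc", "name": line, "note": note})
            continue
        if line.endswith(NETSVCS_HEADER):
            in_netsvcs = True
            continue
        m = NEWLY_CREATED_RE.match(line)
        if m:
            # A driver registered while the scan ran, then deregistered: review it.
            findings.append({"kind": "driver", "name": m.group(1),
                             "note": "service/driver created during the scan"})
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not (m and section):
            continue
        key, value = m.group(1), m.group(2).strip()
        sec = section.lower()
        if key == "DisableMonitoring" and value.endswith("00000001") \
                and "\\security center\\monitoring\\" in sec:
            product = section.rsplit("\\", 1)[1]
            findings.append({"kind": "security_center", "name": product,
                             "note": "Security Center told to stop monitoring this product"})
        elif key == "EnableFirewall" and value.startswith("0") \
                and "firewallpolicy\\standardprofile" in sec:
            findings.append({"kind": "firewall", "name": "StandardProfile",
                             "note": "Windows Firewall disabled for the standard profile"})
    return findings


def registry_fix(findings: List[Dict[str, str]]) -> str:
    """Emit the CFScript Registry:: lines that re-enable Security Center monitoring, as the
    helper's script in this thread does. Drivers, NetSvcs and the firewall are left for review."""
    lines = ["Registry::"]
    for f in findings:
        if f["kind"] == "security_center":
            lines.append("[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center"
                         "\\Monitoring\\" + f["name"] + "]")
            lines.append('"DisableMonitoring"=dword:00000000')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:16} {f['name']:20} {f['note']}")
    print(registry_fix(triage(SAMPLE_LOG)))
```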

#7
Computer User1234

    New Member

  • Members
  • 8 posts

negster22, on Sep 14 2009, 03:04 PM, said:

I'm glad your computer is better but your Combofix log still shows some infected items which I will help you remove with a customized script. You should do this so the infection doesn't resurface again.

Open Notepad
On the Notepad menu, choose "Format" and make sure that Word Wrap is unchecked (disabled)
Copy/paste the text in the code box below into Notepad.

KillAll::

Driver::
wceclzsu

Folder::
c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde
c:\program files\Common Files\TSUninstall
c:\program files\TS
c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde
c:\documents and settings\NetworkService\Application Data\hgmxqsde
c:\documents and settings\All Users\Application Data\ParetoLogic

Netsvc::
ofgmwotm

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000

Save this to your desktop as CFScript.txt by selecting File -> Save as.

Posted Image

Very Important: Disable ALL security program active protection components at this time including any and all antispyware and antivirus monitor/guards you have running!!

Also, disable any task(s) scheduled to run automatically upon reboot, such as chkdsk or any scanners. If Windows is in the middle of updating and it needs to reboot to finish the updating process, allow it to complete that first - before attempting to run Combofix.

Referring to the picture above, drag CFScript.txt into your renamed ComboFix.exe (Cb1231.exe)

This will cause ComboFix to run again.

Please post back the log that opens when it finishes.
Wow, thanks for being so diligent. I will run that tonight and get back to you.

Thanks again.

Mike

#8
Computer User1234

    New Member

  • Members
  • 8 posts
OK I uninstalled Symantec last night and installed avast this morning. I will make sure to disable avast first prior to running it.

Thanks again. Will be getting back to you tonight.

Mike

#9
Computer User1234

    New Member

  • Members
  • 8 posts

Computer User1234, on Sep 14 2009, 03:30 PM, said:

OK I uninstalled Symantec last night and installed avast this morning. I will make sure to disable avast first prior to running it.

Thanks again. Will be getting back to you tonight.

Mike


Here are the contents of the log file Combofix.txt. I am looking forward to hearing from you.

Thanks, Mike

ComboFix 09-09-14.02 - Mike Roy Auto 09/14/2009 20:36.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.232 [GMT -4:00]
Running from: c:\documents and settings\Mike Roy Auto\Desktop\cb1231.exe
Command switches used :: c:\documents and settings\Mike Roy Auto\Desktop\cfscript.txt
AV: avast! antivirus 4.8.1351 [VPS 090914-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ParetoLogic
c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Master.xml
c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Patch.xml
c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\DriverCure\Update.xml
c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Master.xml
c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Patch.xml
c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Update.xml
c:\documents and settings\Diann Jasinski\Application Data\Microsoft\Installer\{49FC50FC-F965-40D9-89B4-CBFF80941033}\ARPPRODUCTICON.exe
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\profiles.ini
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\cert8.db
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\compatibility.ini
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\compreg.dat
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\cookies.sqlite
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\formhistory.sqlite
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\key3.db
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\localstore.rdf
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\permissions.sqlite
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\places.sqlite
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\pluginreg.dat
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\prefs.js
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\secmod.db
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\webappsstore.sqlite
c:\documents and settings\Mike Roy Auto\Application Data\hgmxqsde\Profiles\uibmp3o1.default\xpti.dat
c:\documents and settings\Mike Roy Auto\Application Data\Microsoft\Installer\{49FC50FC-F965-40D9-89B4-CBFF80941033}\ARPPRODUCTICON.exe
c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde
c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde\Profiles\uibmp3o1.default\urlclassifier3.sqlite
c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\hgmxqsde\Profiles\uibmp3o1.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\hgmxqsde
c:\documents and settings\NetworkService\Application Data\hgmxqsde\profiles.ini
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\cert8.db
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\key3.db
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\prefs.js
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\secmod.db
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde
c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\hgmxqsde\Profiles\5wwcdjl2.default\XPC.mfl
c:\program files\Common Files\TSUninstall
c:\program files\Common Files\TSUninstall\Uninstall.lnk
c:\program files\TS
c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{49FC50FC-F965-40D9-89B4-CBFF80941033}\ARPPRODUCTICON.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WCECLZSU


((((((((((((((((((((((((( Files Created from 2009-08-15 to 2009-09-15 )))))))))))))))))))))))))))))))
.

2009-09-14 12:31 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-14 12:31 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-14 12:31 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-14 12:31 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-14 12:31 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-14 12:31 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-14 12:31 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-14 12:31 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-14 12:31 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-13 19:55 . 2009-09-13 19:55 -------- d-----w- c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\Mozilla
2009-09-13 06:04 . 2009-09-13 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-13 06:03 . 2009-09-13 15:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-09-13 06:03 . 2009-09-13 15:41 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\SUPERAntiSpyware.com
2009-09-13 05:44 . 2009-09-13 05:44 -------- d-----w- c:\program files\CCleaner
2009-09-13 04:46 . 2009-09-13 04:46 -------- d-----w- c:\program files\Trend Micro
2009-09-12 15:32 . 2009-09-13 15:39 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-12 13:33 . 2009-09-12 13:33 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\Malwarebytes
2009-09-12 13:33 . 2009-09-12 13:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-08 19:33 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 22:54 . 2007-03-24 15:49 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\OpenOffice.org2
2009-09-14 12:24 . 2004-05-12 10:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-09-14 12:22 . 2007-12-08 16:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-14 12:22 . 2007-12-08 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 15:36 . 2007-12-18 19:35 -------- d-----w- c:\program files\Coupons
2009-09-13 04:52 . 2007-04-23 17:15 -------- d-----w- c:\program files\WebIQ
2009-09-12 16:03 . 2009-01-09 22:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-09-12 16:00 . 2009-07-27 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure
2009-08-27 17:50 . 2007-03-27 16:41 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\AdobeUM
2009-08-22 14:16 . 2009-01-09 22:46 -------- d-----w- c:\program files\NortonInstaller
2009-08-22 14:14 . 2009-01-09 22:46 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-14 10:58 . 2009-09-12 15:34 7396 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-08-07 14:21 . 2007-03-24 02:59 56504 ----a-w- c:\documents and settings\Mike Roy Auto\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 20:59 . 2009-08-06 20:59 -------- d-----w- c:\program files\MSBuild
2009-08-06 20:59 . 2009-08-06 20:59 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2002-12-12 07:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 14:18 . 2009-07-27 14:17 -------- d-----w- c:\documents and settings\Mike Roy Auto\Application Data\DriverCure
2009-07-17 19:01 . 2004-05-12 09:42 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2004-05-12 10:07 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2005-10-21 17:51 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-05-12 09:42 17408 ------w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2005-06-15 17:50 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:25 . 2004-05-12 09:43 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-05-12 09:43 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-05-12 09:43 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-05-12 09:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-05-12 09:42 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-24 11:18 . 2004-05-12 09:42 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-14_05.57.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-15 00:43 . 2009-09-15 00:43 16384 c:\windows\temp\Perflib_Perfdata_478.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-13 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-12 77824]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MPlayer2_FixUp"="c:\windows\inf\unregmp2.exe" [2008-04-14 208896]

c:\documents and settings\Mike Roy Auto\Start Menu\Programs\Startup\
OpenOffice.org 2.1.lnk - c:\program files\OpenOffice.org 2.1\program\quickstart.exe [2006-11-27 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-4-24 972064]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/14/2009 8:31 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/14/2009 8:31 AM 20560]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://72.236.138.36/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\Mike Roy Auto\Application Data\Mozilla\Firefox\Profiles\vibazv7k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
AddRemove-BigFix - c:\windows\ISUNINST.EXE -fc:\program files\BigFix\Uninst.isu
AddRemove-Lexmark X6100 Series - c:\windows\system32\spool\drivers\w32x86\3\LXBFUN5C.EXE
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9b.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 20:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\OpenOffice.org 2.1\program\soffice.exe
c:\program files\OpenOffice.org 2.1\program\soffice.bin
c:\windows\system32\wscntfy.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
.
**************************************************************************
.
Completion time: 2009-09-15 20:49 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-15 00:49
ComboFix2.txt 2009-09-14 06:02

Pre-Run: 66,137,145,344 bytes free
Post-Run: 66,154,446,848 bytes free

213 --- E O F --- 2009-09-11 18:28

#10
negster22

    Elite Member

  • Experts
  • 1,130 posts
  • Location:Westchester County, NY
Good job! Your computer appears to be clean now. :)

We have a few steps to finish up now.
You should update your version of the Sun Java Platform (JRE) to the newest version which is Java Runtime Environment (JRE) 6 Update 16, if you have not done that already.

You can check your currently installed JRE version here.
If you find you need to update to Java Runtime Environment (JRE) 6 Update 16, then follow these steps:

1. Download the latest JRE version from Sun Microsystems' website: http://java.sun.com/...loads/index.jsp
2. Select the option that says: "JRE 6 Update 16
This special release provides a few key fixes", and click Download button.
3. Select your platform: Windows, in the pull down menu.
4. Check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement."
5. Click Continue.
6. Under the Windows Platform - Java ™ SE Runtime Environment 6 Update 16 section, click on the link to download the Windows Offline Installation and save the installer to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Next, remove all older versions of the Sun Java Platform using the Control Panel's Add/Remove Program feature (as they may contain security vulnerabilities).
9. Reboot your system
10. Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version of the Sun Java Platform
12. If the Yahoo Toolbar is prechecked for installation be sure to UNCHECK it, if you do not care to have it, or already have it installed - it is not part of the JRE install and totally unnecessary.
13. You may verify that the current version installed properly by clicking http://java.com/en/d...d/installed.jsp here.

Now clear the Java cache:

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.

  • Next, click on the Delete Files button

  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets

    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

  • Click OK to leave the Temporary Files Window

  • Click OK to leave the Java Control Panel.
-
If I asked you to download and run an ARK (Antirootkit program), then please uninstall it by doing the following:
  • Delete the contents of the folder C:\ARK
  • Delete the C:\ARK folder
Let's remove Combofix and all its associated files including those in quarantine:
Click start -> run, then copy and paste the following line into the Open box and click OK.

"%userprofile%\desktop\cb1231.exe" /u

This will do the following:
  • Uninstall Combofix and all its associated files and folders.
  • It will flush your system restore points and create a new restore point.
  • It will rehide your system files and folders
  • Reset your system clock
---
Here are some additional measures you should take to keep your system in good working order and ensure your continued security.

1. Scan your system for outdated versions of commonly used software applications that may also cause your PC to be vulnerable, using the Secunia Online Software Inspector (OSI). This is very important because recent statistics confirm that an overwhelming majority of infections are acquired through application flaws, not Operating System flaws. Commonly used programs like QuickTime, Java, Adobe Acrobat Reader, iTunes, and many others are commonly targeted today. You can make your computer much more secure if you update to the most current versions of these programs and any others that Secunia alerts you to.

Just click the "Start Scanner" button to get a listing of all outdated and possibly insecure resident programs.

Note: If your firewall prompts you about access, allow it.

2. Keep MBAM as an on demand scanner because I highly recommend it, and the quick scan will find most all active malware in minutes.

3. You can reduce your startups by downloading Malwarebytes' StartUp Lite and saving it to a convenient location. Just double-click StartUpLite.exe. Then, check the options you would like based on the descriptions provided, then select continue. This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

4. Download and install SpywareBlaster:
http://www.javacools...areblaster.html
Update it and then enable protection for all unprotected items.
You will have to update the free version manually about once a month by clicking the Updates button. You can refer to the Calendar of Updates Website to see when SpywareBlaster and other programs that do not autoupdate have new definitions or program updates available.

Finally, please follow the suggestions offered by Tony Klein in "How did I get infected in the first place?" so you can maintain a safe and secure computing environment.

Happy Surfing!
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
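Step 8 above says to remove every older Sun Java runtime before installing 6 Update 16, because stale JREs sit side by side and stay exploitable. Added example, not part of the forum post or any Malwarebytes tool: a PowerShell script that reads the same Add/Remove Programs data (the Uninstall registry keys) and flags JRE entries older than 1.6.0_16. It assumes Windows PowerShell 2.0 or later and read access to HKLM; the two DisplayVersion formats it parses ("1.6.0.16" and "6.0.160") are assumptions about how Sun's installers record the version, so an unrecognised format is reported as not parseable rather than guessed.

```powershell
# Added example (not from the forum post): list installed Sun Java runtimes from
# the Add/Remove Programs registry data and flag those older than JRE 6 Update 16.
# Assumes Windows PowerShell 2.0+ and read access to HKLM.

$TargetVersion = [Version]'1.6.0.16'   # JRE 6 Update 16 written as a comparable [Version]

# 32-bit and 64-bit uninstall hives; Wow6432Node does not exist on 32-bit XP, so filter it out.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
) | Where-Object { Test-Path $_ }

function ConvertTo-JavaVersion {
    # Normalises a DisplayVersion string to [Version] "1.<major>.0.<update>".
    # Both accepted forms are assumptions about Sun's installer metadata:
    #   "1.6.0.16"  -> 1.6.0.16   (full version string)
    #   "6.0.160"   -> 1.6.0.16   (major.0.<update><0> form)
    param([string]$Text)
    if ($Text -match '^1\.(\d+)\.(\d+)\.(\d+)$') {
        return [Version]('1.{0}.{1}.{2}' -f $matches[1], $matches[2], $matches[3])
    }
    if ($Text -match '^(\d+)\.0\.(\d+)0$') {
        return [Version]('1.{0}.0.{1}' -f $matches[1], $matches[2])
    }
    return $null
}

$Found = foreach ($Key in $UninstallKeys) {
    Get-ChildItem $Key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        # Match the display names Sun used for JRE 5 and JRE 6 entries.
        if ($p.DisplayName -match 'Java\(TM\)|J2SE Runtime|Java SE Runtime') {
            $v = ConvertTo-JavaVersion $p.DisplayVersion
            $status = if ($v -eq $null) { 'unparsed' }
                      elseif ($v -lt $TargetVersion) { 'OUTDATED - remove' }
                      else { 'current' }
            New-Object PSObject -Property @{
                Name      = $p.DisplayName
                Version   = $p.DisplayVersion
                Status    = $status
                Uninstall = $p.UninstallString
            }
        }
    }
}

if (-not $Found) {
    'No Sun Java runtime entries found in Add/Remove Programs.'
} else {
    # UninstallString is shown for reference only; removal is done through Add/Remove Programs as described.
    $Found | Format-Table Name, Version, Status, Uninstall -AutoSize
}
```

Run it before and after the reinstall: before, every entry should read "OUTDATED - remove"; after, exactly one entry should read "current". An entry reported as "unparsed" means the installer wrote a version string the script does not recognise, and it should be checked by hand rather than assumed safe.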

#11
Computer User1234

    New Member

  • Members
  • Pip
  • 8 posts
Once again thank you very much. What was I infected with?

How does someone like myself get started on this forum with being able to help other people with these types of problems?

Thanks, Mike

#12
negster22

    Elite Member

  • Experts
  • PipPipPipPipPip
  • 1,130 posts
  • Location:Westchester County, NY
You're welcome! You were infected with a rogue security program called Total Security and Delf / Boaxxe, which installs a driver and a fake Firefox directory to hold the infection in place. The Delf driver is randomly named so it is difficult to target.
http://www.threatexpert.com/report.aspx?md...d1d64cfe28116b7

As far as training to become a malware removal advisor - here is a list of forums that offer such programs:

Spywareinfoforum Boot Camp:
http://www.spywarein...hp?showtopic=34

Malware Removal Forum training program at Bleeping Computer:
http://www.bleepingc...topic86678.html

Geek University at Geeks to Go:
http://www.geekstogo.com/forum/index.php?a...&page=GeekU

Malware Removal University (you have to register to see the page):
http://www.malwarere.../university.php

SpywareHammer's Academy offers one-on-one training with a mentor who is assigned to you:
http://spywarehammer...forum/index.php
If interested, you need to contact Bugbatter to request admittance, but register first.
http://spywarehammer.com/simplemachinesfor...ion=profile;u=9
Microsoft MVP - Consumer Security 2006 - 2011

BITS n PC's Blog
